This is a plain-English privacy policy. It explains what data PainKiller Consulting collects when you use this website, why we collect it, how we look after it, and the rights you have over it.
Who we are
PainKiller Consulting is a UK warehouse operations consultancy operated as a sole trader by Sam Mustatea, trading as PainKiller Consulting ("we", "us", "our"). This privacy policy applies to the website painkillerconsulting.co.uk and any services we provide.
For the purposes of UK GDPR and the Data Protection Act 2018, PainKiller Consulting is the data controller for any personal information you provide to us.
What personal information we collect
We only collect personal information that you actively provide, plus standard technical information about how you interact with the website. We don't buy data, scrape data, or collect information about you from third parties.
| Type of information | How we collect it |
|---|---|
| Contact details (name, email, phone) | When you submit a contact form, book a call, or enquire about a service via Tally or Calendly |
| Operational context about your business | When you describe your warehouse operation, challenges, or goals in a form or email |
| Payment information | Processed directly by Stripe — we don't see or store card details |
| Email correspondence | Any emails you send us, retained in our email system |
| Technical data (IP, browser, device) | Standard server logs and (in future) Google Analytics if enabled |
Why we collect it (our lawful basis)
Under UK GDPR we can only process your personal information if we have a lawful reason to do so. Here are the reasons we use:
Performance of a contract
When you buy a service from us, we need your information to deliver that service — communicating about scheduling, sending audit findings, processing payment, etc.
Legitimate interests
When you submit an enquiry, we use your information to respond to it. This is in our legitimate interest (running the business) and yours (getting a reply).
Consent
If we ever ask to send you marketing emails or add you to a newsletter, this is based on your explicit consent and you can withdraw it at any time.
Legal obligations
We may need to retain certain records — for example invoices and contracts — to meet UK tax and accounting law (HMRC typically requires retention for six years).
How long we keep it
- Enquiries that don't result in a contract: 12 months from the last meaningful contact, then deleted
- Client records (contracts, invoices, audit reports): 6 years from the end of the engagement, as required by UK tax law
- Email correspondence: Retained as part of the above, then archived or deleted
- Form submissions in Tally: Retained while the enquiry is active, exported to our records, then deleted from Tally
- Payment records (Stripe): Retained by Stripe per their own policy and by us for accounting purposes (6 years)
Who we share it with
We share information only with carefully chosen third parties who help us run the business. We don't sell or rent your personal information to anyone. The third parties we currently use are:
- Tally Forms — for form submissions and contact enquiries. Tally is a GDPR-compliant form platform based in the EU.
- Calendly — for diagnostic call booking. Calendly is a US-based platform with appropriate UK/EU data transfer safeguards in place.
- Stripe — for payment processing. Stripe is PCI-DSS compliant and handles card data directly so we never see it.
- GitHub Pages — for hosting the website itself.
- Email provider — for sending and receiving correspondence with you.
- Google Analytics (planned) — we may enable Google Analytics in future to understand how the website is used. Where enabled, this will be disclosed in our cookies policy and you will be able to opt out.
If any of these change, we'll update this policy. We may also be required to disclose information if compelled by UK law — for example, to HMRC, the courts, or the Information Commissioner's Office (ICO).
International transfers
Some of the third-party services we use (such as Calendly and Stripe) are based in the United States or transfer data internationally. Where this happens, we rely on appropriate safeguards under UK GDPR — typically the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or adequacy decisions where applicable.
How we look after your information
We take reasonable technical and organisational measures to protect your personal information. This includes using providers with strong security practices (Tally, Stripe, Calendly, GitHub all maintain industry-standard security), keeping the number of people who access your data to a minimum (in practice, this is Sam), and securing email and device access with strong passwords and two-factor authentication.
That said, no method of transmission or storage is 100% secure. If a data breach occurred that posed a risk to your rights, we would notify you and the ICO within 72 hours as required by UK GDPR.
Your rights
Under UK GDPR you have a number of rights over your personal information. You can exercise any of these by emailing us at info@painkillerconsulting.co.uk:
- Right to access — Ask for a copy of the personal information we hold about you
- Right to rectification — Ask us to correct anything inaccurate
- Right to erasure ("right to be forgotten") — Ask us to delete your information, subject to our legal obligations to retain certain records
- Right to restrict processing — Ask us to stop using your information in certain ways
- Right to data portability — Ask for your information in a format you can transfer to another provider
- Right to object — Object to us processing your information for specific purposes
- Right to withdraw consent — Where we relied on your consent, withdraw it at any time
We aim to respond to all requests within one month. There is no charge for exercising your rights, except in very limited circumstances where requests are excessive or repeated.
Cookies
This website currently uses minimal cookies. For full details — what we use and what we may use in future — see our Cookies Policy.
Children
Our services are aimed at UK business operations and we do not knowingly collect personal information from anyone under 18. If we become aware that we have collected information from a child, we will delete it.
Changes to this policy
We may update this privacy policy from time to time. The "last updated" date at the top of the page reflects the most recent change. If we make material changes, we'll do our best to notify anyone affected — for example, current clients.
The fastest way to reach us is by email. We respond to all data protection enquiries within 5 working days, and to formal subject access requests within the one-month statutory window.
Email: info@painkillerconsulting.co.uk
If you're unhappy with our response, you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113.